If many modern information security practitioners had been tasked with protecting commerce in the face of piracy, they would probably have bought ever more elaborate but largely ineffective defensive measures.

Instead, the royal navies of the area decided to hunt down pirates and hang them. Sure, the pirates continued their raids for a long time, but eventually the main players (England, France, Spain, Holland) stopped warring amongst themselves and directed their offensives against the pirates.

We're not going to see any fundamental changes in information security until those we elect to protect our rights rise to the task and go on the offensive. Private companies (especially modern ones) aren't in a position to "strike back" against threats -- that's the role for the police and militaries of the world. It's time to kill some pirates, not leave "critical infrastructure protection" to the "private sector."

8 comments:

If you liked this show, you'll probably want to read Under the Black Flag: The Romance and Reality of Life Among the Pirates. It's pretty much the standard work on the subject now, and no doubt one of the main sources the producers used. And it's only about $4 on Amazon if you don't mind buying used. 8-)

The military-infosec comparison is worn out and obviously DOES NOT WORK. (See Richard's blog post on FISMA 2007, specifically the DoD's F/F score.) This way of thinking makes for a reader-grabbing controversial blog post, but it doesn't make a lot of sense these days. Oh, if it were only as simple as "Hey, they have a pirate flag, get them!"

Taking physical action against the threat is really the least intelligent way of securing your network. It just doesn't scale. When you turn the testosterone down and actually think about what you are suggesting, it doesn't make a lot of sense. Attackers will just better mask their location and alter tactics. Sure, dropping a JDAM on a group of attackers or kidnapping a few of them will scare some... But we're not going to attack China or any other nation.

I'll start by saying that we'd be entering dangerous territory if the MPAA/RIAA is handing the DoD grid coordinates to kill pirates. :) But I'll assume you don't mean that we should be using the military to solve private industry's woes. I assume you mean more serious threats.

So why can't the US government beat the Chinese at their own game? Is the problem so insurmountable that we have to resort to physical action? You don't see the Chinese attacking other countries, or "killing pirates" to solve their network security woes.

Now, there are exceptions to what I am about to say. There probably are smart, skilled and out-of-the-box thinkers who work for the federal government either directly or as contractors. I am sure there are some very smart minds at the NSA, etc. However in my experience the US government typically doesn't attract the most skilled security people. Most of the "good" security people work in private industry. We all know it. The guys who are highly skilled run security tools, all the rest live in Excel spreadsheets and do C&A work. The government has a real problem attracting and keeping top talent. Instead, they hire government contractor body shops. "This analyst doesn't know what nmap is but at least they have a clearance. Put them on site and bill them out!"

Whenever I hear about a huge security gaffe (e.g. Unisys's performance at DHS) I just chuckle. And now the USAF wants to start an "offensive wing". Buy 5,000 Core Impact licenses and declare MISSION ACCOMPLISHED! Who's going to drive Core Impact (or any other vendor solution that the gov was suckered into paying 1 million dollars for)? Who cares! As long as they have their clearance and they have their CISSP.

China on the other hand doesn't have this issue. They seem to walk into our networks on a daily basis. It's not a budgeting issue. Everyone knows that the DoD has a HUGE IT security budget and access to a ton of vendor solutions. I wonder what our problem is???